What Is Invicti - Invicti

Invicti is an automated web application security scanner that identifies vulnerabilities across various platforms and languages. It features Proof-Based Scanning technology, which confirms vulnerabilities without manual verification, enhancing efficiency for security teams. Invicti offers two editions: Standard for smaller teams and hands-on users, and Enterprise for larger teams needing multi-user capabilities and advanced collaboration tools.
What is Invicti? | Application Security Scanner

Invicti Enterprise and Invicti Standard are automated and fully configurable web application security scanners that enable you to scan websites, web applications, and services, and identify security flaws. Both of them scan all types of web applications, regardless of the platform or the language with which they are built.

Invicti scanner is the only online web application security scanner that automatically exploits identified vulnerabilities in a read-only and safe way in order to confirm identified issues. It also presents proof of the vulnerability so that you don’t waste time manually verifying it.
THIS DOCUMENT IS FOR:


Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Our scanning technology is designed to help you secure web applications without any fuss, so you can focus on fixing the reported vulnerabilities. If the scanner
This is what a Cross-site Scripting vulnerability report looks like, where the Proof
URL is what the scanner uses to exploit the vulnerability.

Proof of Exploit

A Proof of Exploit reports that data was extracted from the exploited target. It demonstrates the impact an exploited vulnerability can have and proves that it is not a false positive. For example, when exploiting a command injection vulnerability and generating a Proof of Exploit for it, the scanner only reads data, for example to show the task list, without executing anything further.

This is what it looks like in the case of a command injection vulnerability, as reported
in Invicti Enterprise.

Invicti scanners generate proof when they identify the following vulnerability types:

● SQL Injection
● Boolean SQL Injection
● Blind SQL Injection
● Remote File Inclusion (RFI)
● Command Injection
● Blind Command Injection
● XML External Entity (XXE) Injection
● Remote Code Evaluation
● Local File Inclusion (LFI)
● Server-side Template Injection
● Remote Code Execution
● Injection via Local File Inclusion

If the scanner can’t automatically prove the vulnerability exists, you will be advised
so that you can double-check its findings.

Benefits of Proof-Based Scanning™ technology

Here are some of the key benefits:

● You don’t have to manually verify detected vulnerabilities, so you have more time for fixing them.
● You don’t have to be a seasoned security professional, since results are automatically confirmed for you. There is no need to know how to reproduce the findings.
● Finding vulnerabilities in web applications costs you less since you can assign it to less technical people.
● If you are a QA, you won't be sent back by the developers to prove that there is a vulnerability in their code.
● As a developer or service provider, you don’t need to convince your superior or customer to fix their issues, simply show them the proof!

NOTE:
● The accuracy of Invicti’s Proof-Based Scanning currently stands at slightly over 99.98%, according to the company’s security researchers that reviewed the last 5 years’ statistics.
● This accuracy means that when it marks a vulnerability as confirmed, you can be 99.98% sure that the issue is real, exploitable, and not a false positive.
● Also, the research revealed that the scanner provides accurate automatic confirmation for 94.74% of all direct-impact vulnerabilities it detects.

For more information, refer to Proof-Based Scanning: No noise, just facts.

Issues

An Issue is the name, type, date, and other details of any detected vulnerability. For
more information, refer to Issues.

Severities

Each vulnerability is assigned a different severity or threat level according to the damage it could do and the urgency with which it requires fixing. For more information, refer to Vulnerability Severity Levels.

Scan Policies

Invicti scanners use Scan Policies in order to determine and specify the type, range,
and targets of your scan according to your needs. For more information, refer to
Scan Policies.

Scheduled Scans

Scans can be launched immediately or they can be scheduled for times when it best
suits you, including at regular intervals. For more information, refer to Scheduling
Scans.

Integrations
Invicti integrates with a wide range of software and tools that enable you to connect
with your existing SDLC, including vulnerability management systems, issue
tracking systems, continuous integration systems, single sign-on providers, team
messaging systems, and web application firewalls. For more information, refer to
Integrations.

What is the difference between Invicti Enterprise and Invicti Standard?

Invicti Enterprise is a scalable, multi-user web application security solution and Invicti Standard is an on-premises desktop web vulnerability scanner.

Invicti crawling and scanning technology

Invicti scanner has industry-leading scanning technology. Both editions are built around the same crawling and Proof-Based Scanning technology. In terms of coverage, detection of vulnerabilities, and security flaws, you get the same results.

Overview of Invicti web application security scanners

Invicti Standard was built for those who are more hands-on – security engineers, penetration testers, and developers – who typically scan fewer than 50 websites.

Invicti Enterprise is a scalable, multi-user online vulnerability scanner with built-in
enterprise workflow and testing tools. Because it is a browser-based cloud platform,
you don’t need to buy, license, install or support hardware or software. You can also
launch as many web application security scans as you want within minutes.

Scalability of service
Scalability is the major difference between the editions. If you need to scan multiple
websites at the same time, you can manually launch multiple instances of the
Standard scanner. Alternatively, with Invicti Enterprise, you can scan thousands of
websites at once.

Feature highlight: Target Groups

Invicti Enterprise enables you to group targets (websites), configure generic scan
settings and launch or schedule a web security scan with a single click.

Keeping up with the latest web security threats

Follow our web application security blog and you will notice that we frequently release software updates. In fact, our list of vulnerability checks grows daily. Releasing frequent updates ensures that you can scan your web applications against the latest security threats and vulnerabilities. The response time for releasing new security checks is also critical, especially when a vulnerability such as the one in Apache Struts is discovered and being exploited in the wild.
● Invicti Standard checks for updates every time it is launched. You can apply
updates in minutes.
● Invicti Enterprise is maintenance-free. We update the service and updates
are automatically available.

Web security scanner adaptability

Typically, desktop software is more configurable than an online service. The reason is that an online service is built around an engine designed to cater for a wider variety of customers, so it has fewer configurable parameters, resulting in a number of limitations.
But this is not the case with the Invicti scanners. Anything that can be configured in Invicti Standard can also be configured in Invicti Enterprise, such as the URL rewrite rules and other crawling options, HTTP connection properties, and other scan policy settings.

Team collaboration
● Invicti Standard is a desktop application that is designed for a single user
who has access to the computer on which it is installed.
● Invicti Enterprise is a multi-user environment. Every team member has their
own user account in the Invicti Enterprise edition and with the right
privileges can launch web application security scans, view reports and
issues. As an administrator, you can configure different privileges for each
user.

Feature highlight: Vulnerability management and tasks

Just like dedicated bug tracking systems, Invicti Enterprise enables you to assign
identified vulnerabilities as tasks to team members for remediation. This is an
essential feature when you are tracking the security of many web applications.

Tasks marked as Fixed (Unconfirmed) are automatically rescanned. Depending on
the result, they are either closed or reopened and reassigned.

The vulnerability management system is designed to ensure every user knows what
they need to do, and for results and fixes to be checked automatically. You can also
integrate your existing bug tracking solution.

Web application security scans in your SDLC
Both Standard and Enterprise editions can be easily integrated into your SDLC and
Continuous Integration processes.
● Invicti Standard has command line support allowing you to easily write
scripts that can be triggered by other applications to launch automated
scans.
● Invicti Enterprise has an extensive and well documented API that you can
use to trigger any type of action available in the Invicti Enterprise
dashboard. In addition, it has native plugins that allow for continuous
integration with tools such as TeamCity, Jenkins, Bamboo, GitLab and
Azure that help to expand Invicti's capabilities.
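As an added example that is not Invicti's own code or export format, the following Python models the workflow described in the vulnerability management and SDLC sections above: proof-backed (confirmed) findings become remediation tasks, unconfirmed findings go to a manual-verification queue, a CI gate fails the pipeline only on confirmed findings at or above a severity threshold, and a task marked Fixed (Unconfirmed) is rescanned and then closed or reopened. The JSON finding layout and the sample findings are constructed for this example.

```python
"""Triage of scanner findings along the lines described on the page.
The finding layout below is constructed for this example; it is NOT
Invicti's export format or API."""
import json

SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample export (not real scanner output).
SAMPLE_EXPORT = json.dumps([
    {"id": "f-1", "type": "Command Injection", "url": "https://app.example/ping",
     "severity": "Critical", "confirmed": True, "proof": "task list read via injection"},
    {"id": "f-2", "type": "Cross-site Scripting", "url": "https://app.example/search",
     "severity": "High", "confirmed": True, "proof": "proof URL triggers the script"},
    {"id": "f-3", "type": "Blind SQL Injection", "url": "https://app.example/item",
     "severity": "High", "confirmed": False, "proof": None},
    {"id": "f-4", "type": "Missing X-Frame-Options", "url": "https://app.example/",
     "severity": "Low", "confirmed": False, "proof": None},
])


def triage(export_json):
    """Split findings into remediation tasks (confirmed, proof attached) and a
    manual-verification queue (unconfirmed), each sorted highest severity first."""
    findings = json.loads(export_json)

    def by_severity(f):
        return -SEVERITY_RANK.get(f["severity"], 0)

    tasks = sorted((f for f in findings if f["confirmed"]), key=by_severity)
    review = sorted((f for f in findings if not f["confirmed"]), key=by_severity)
    return tasks, review


def ci_gate(export_json, threshold="High"):
    """Return (passed, blocking_ids). Only proof-backed findings at or above the
    threshold block the build; unconfirmed ones still land in the review queue
    but never fail the pipeline on their own."""
    tasks, _ = triage(export_json)
    limit = SEVERITY_RANK[threshold]
    blocking = [f["id"] for f in tasks if SEVERITY_RANK[f["severity"]] >= limit]
    return (not blocking), blocking


def next_task_state(current, rescan_found_issue):
    """Task lifecycle from the page: a task marked Fixed (Unconfirmed) is rescanned
    and then either closed or reopened; any other state is left unchanged."""
    if current != "Fixed (Unconfirmed)":
        return current
    return "Reopened" if rescan_found_issue else "Closed"


if __name__ == "__main__":
    tasks, review = triage(SAMPLE_EXPORT)
    print("remediate:", [t["id"] for t in tasks], "verify:", [r["id"] for r in review])
    print("gate:", ci_gate(SAMPLE_EXPORT))
```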

Keeping web applications secure

Launching a single web application security scan and remediating the identified
vulnerabilities can be quite difficult. It is even more demanding to scan all web
applications frequently and ensure that detected vulnerabilities are fixed, and that
the applied fixes don’t open new security flaws.
● If you use Invicti Standard, you can compare different scan results on the
same website. Our Retest and Incremental scans allow you to pinpoint the
differences between scans and keep track of all issues. It's easy to compare
results, but time consuming if you have lots of websites.
● This is where Invicti Enterprise shines. Its trending and correlated
reports are automatically updated each time a website or web application
is scanned. This negates the need to manually compare results.

Manual crawling and security scanning

If you need to manually crawl a website or a section of it, you'll need to proxy the
traffic through the scanner so it will capture it, identify attack surfaces, and then
scan them. Invicti Standard can be used for manual crawling.

With Invicti Enterprise you can’t, as it is a cloud-based product. Nevertheless, you can still achieve the same results by configuring a browser to proxy its traffic through a local proxy (such as Fiddler) and capturing the traffic. Once you have captured the traffic, you can import the Fiddler capture into Invicti Enterprise and launch the scan.

Enterprise or Standard web application security scanner?
● If you have a small team and a small number of websites, and you prefer to
be more hands-on, Invicti Standard is the best option.
● If you operate in a large team and have many websites and web
applications to secure, and need supporting tools to ensure collaboration
among the team members, Invicti Enterprise is recommended. You will also
have access to the Invicti Standard edition for each user.
